What Is Social Engineering?
Social engineering is typically defined as the gentle means of getting people to follow or comply with the wishes of another to gain access to information or computer systems. The ultimate goal of any individual using social engineering is to acquire information. Typically, this acquired information is used to gain unauthorized access to an online system or company server in an effort to steal an identity, commit fraud, compromise the company’s confidential information, or commit some form of espionage.
Why Social Engineering Works
Most individuals are extremely trusting and helpful. Nearly all of us want to be a good friend, neighbor, associate or confidant. Social engineering takes advantage of basic human behavior through clever manipulation. It preys on the cooperative and helpful inclinations of human beings for an illicit use. Individuals who utilize social engineering are very good at exploiting the vulnerabilities of basic human behavior. They work on the naïveté of individuals who simply want to be liked, along with their fear of doing something wrong.
In spite of all the advancements in technology, no system has been created that can overcome basic human nature. Social engineers recognize that it is humans who create passwords, use computers, bank online, and enter their confidential credit card numbers when purchasing items over the Internet.
The Psychology of Social Engineering
Any malicious individual who has become skilled in the techniques of social engineering has the ability to lie convincingly to obtain the information they desire. Successful social engineers generally do a significant amount of groundwork before they launch their attack. They will typically research the enterprise or organization that has been targeted for a cyber-attack.
They may gather the names of every employee in the company along with their email accounts and phone numbers. They may incorporate various techniques used by most conmen, including eavesdropping, name dropping, impersonation, and flattery. They may go the other way and pressure individuals through intimidation or by asserting “their” authority.
There are specific, well-used techniques that have proven successful in gaining results through social engineering. While not every technique works on every individual, it only takes one to make the cyber-thief successful. Although these techniques are only a small sample, they include:
- Exploiting Familiarity – Utilizing familiarity is the easiest way to get others to follow. Once the online hacker has become familiar to an individual, nearly anyone will lower their guard. People often act and react differently to individuals they know than to strangers. The social engineer will take their time in developing a friendship, or impersonate an individual or business through emails as a way to phish for information.
- Developing a Hostile Situation – Developing some type of hostile situation is nothing more than a diversionary tactic. It is no different than a magician making the audience look at one hand while he or she does something with the other. Some individuals might believe that one specific action is happening when it actually is something entirely different.
- Gather and Use the Information – Many social engineers go “dumpster diving,” seeking information that appears not to be valuable but really is. They may impersonate a manager or supervisor from another branch or office to ask important or specific questions about the company, other employees or associates. They might also mimic other websites such as Google, Facebook or even a banking institution to gather information from an unsuspecting online user.
- Getting the Job – This tactic is built on making the individual another member of the team. The social engineer builds trust by offering the online user something they likely desire. Offering a piece of candy or reward in return for valuable information is a simple way to gather information. Of course, the victim never really receives the reward.
- Reading Specific Body Language – While it is not always possible to read body language online, social engineers are very good at reading people. By using phishing scams and other baiting tools they can watch the response of individuals that are reacting to their emails or other tactics. In time, they can direct the user down a pathway where they are more likely to give up pertinent information such as passwords or critical confidential information.
Social engineering works. The process has been around a lot longer than computers. For centuries, conmen have figured out ways of obtaining information from the most unsuspecting individuals. Only by becoming aware can humans avoid the tricks of social engineers and safeguard themselves from compromising confidential information that could hurt them or their company.
Need a way to help defend against social engineering? With some kind of multi-factor authentication in place, a con artist would have to not only obtain a password, but also a second factor of identity.